Postgres: no password / trusted host configuration

Even when a host is trusted, it is strongly recommended not to accept connections from it without authentication. The reason is simple: one day it is a trusted host, another day it is a compromised host.

To create barriers and bulkheads that reduce risk, impose a natural overhead on an intruder and give response teams enough time to roll in, there should be no "blind trust" in your network: every service and connection should carry a good degree of authenticity, which means authentication and authorization.

From the documentation:

"The trust method allows any user from the defined host to connect to a PostgreSQL database without the use of a password, as any PostgreSQL user. You are trusting the host-based authentication with the use of this method, and any user on the specified host. This is a dangerous condition if the specified host is not a secure machine, or provides access to users unknown to you."

Problem

In pg_hba.conf, locate records whose METHOD column is trust (the record below is written in the current five-column format with a USER column and a CIDR address; the older address plus separate netmask form, 192.168.1.10 255.255.255.255, is equivalent):

# TYPE	DATABASE	USER	ADDRESS		METHOD
host	all	all	192.168.1.10/32	trust

Fix

In pg_hba.conf, replace trust with a method that actually authenticates the client. The original advice was crypt; that method was removed in PostgreSQL 8.4 and is rejected by current servers, so on supported versions use scram-sha-256 (md5 on very old releases):

# TYPE	DATABASE	USER	ADDRESS		METHOD
host	all	all	192.168.1.10/32	scram-sha-256
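The check a practitioner would want after editing the file is a way to audit every record in pg_hba.conf for the trust method and for obsolete methods such as crypt, rather than eyeballing one line. The script below is an added example written for this page, not PostgreSQL tooling or code from the original post; the pg_hba.conf body it parses is a constructed sample, and the list of flagged methods is this example's own choice. It understands both the CIDR address form and the separate-netmask form used above, and it also flags records whose address matches every client (0.0.0.0/0, ::/0 or all), since those are the ones where the authentication method is all that stands between the network and the database.

```python
"""Audit pg_hba.conf records for methods that skip or weaken authentication.
Added example for this page; not part of PostgreSQL or any project it mentions."""
import ipaddress
import shlex

# Methods that skip or weaken the credential check (this example's own list).
INSECURE_METHODS = {
    "trust": "connects as any user with no credential check",
    "crypt": "obsolete method, removed in PostgreSQL 8.4",
    "password": "sends the password in cleartext",
}


def _looks_like_mask(field):
    """True when a field is a dotted-quad netmask such as 255.255.255.255."""
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False


def parse_hba_record(line):
    """Parse one pg_hba.conf record into a dict, or return None for blank
    and comment lines. Accepts the CIDR form (192.168.1.10/32) and the
    separate-netmask form (192.168.1.10 255.255.255.255)."""
    fields = shlex.split(line, comments=True)
    if not fields:
        return None
    conn_type = fields[0]
    if conn_type == "local":
        # local records have no ADDRESS column: TYPE DATABASE USER METHOD
        if len(fields) < 4:
            raise ValueError(f"malformed local record: {line!r}")
        return {"type": conn_type, "database": fields[1], "user": fields[2],
                "address": None, "method": fields[3]}
    if len(fields) < 5:
        raise ValueError(f"malformed host record: {line!r}")
    database, user, addr = fields[1], fields[2], fields[3]
    rest = fields[4:]
    # Separate netmask column: fold it into the address as addr/mask.
    if "/" not in addr and rest and _looks_like_mask(rest[0]):
        addr = f"{addr}/{rest[0]}"
        rest = rest[1:]
    if not rest:
        raise ValueError(f"missing method: {line!r}")
    return {"type": conn_type, "database": database, "user": user,
            "address": addr, "method": rest[0]}


def _is_world_open(addr):
    """True for 'all' or a network that contains every address (0.0.0.0/0, ::/0)."""
    if addr == "all":
        return True
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False  # hostname, samehost or samenet: not evaluated here
    return net.prefixlen == 0


def audit_hba(text):
    """Return a list of (line_no, reason) findings for a pg_hba.conf body."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rec = parse_hba_record(line)
        if rec is None:
            continue
        method = rec["method"]
        if method in INSECURE_METHODS:
            findings.append((line_no, f"{method}: {INSECURE_METHODS[method]}"))
        addr = rec["address"]
        if addr and _is_world_open(addr):
            findings.append((line_no, f"{addr}: accepts connections from any address"))
    return findings


# Constructed sample pg_hba.conf; not taken from any real server.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS                        METHOD
local   all       all                                  peer
host    all       all   192.168.1.10   255.255.255.255 trust
host    all       all   192.168.1.10/32                crypt
host    all       all   0.0.0.0/0                      scram-sha-256
host    all       all   10.0.0.0/8                     md5
hostssl all       all   samenet                        scram-sha-256
"""

if __name__ == "__main__":
    for line_no, reason in audit_hba(SAMPLE_HBA):
        print(f"line {line_no}: {reason}")
```

Run against a real file with audit_hba(open("/path/to/pg_hba.conf").read()). Records are matched top to bottom by the server, so a trust record anywhere above a stricter one for the same host still wins; the audit reports each offending line independently rather than trying to reproduce that precedence.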

See